US One Step Closer To Electric Grid Cyberguards
coondoggie writes "The US Department of Energy this week officially opened up the bidding for a National Electric Sector Cyber Security Organization that would protect the nation's electrical grid from cyber attacks. According to the DOE, the agency has set an aggressive goal to meet the nation's need for a reliable, efficient, and resilient electric power grid, as well as improved accessibility to a variety of energy sources for generation. In order to achieve this, an independent organization is needed (PDF) to provide executive leadership to facilitate research, development, and deployment priorities; identify and disseminate best cybersecurity practices; organize the collection, analysis, monitoring, and dissemination of infrastructure vulnerabilities and threats; and enhance cybersecurity of the electric grid, including control and IT systems."
Disconnect those systems from the internet and make sure the networks they connect to are not connected to the internet.
If they want to be able to monitor, then add sensors as needed and connect that system to the internet.
Dumbasses, all around.
1. Don't put key systems on the internet
2. ???
3. PROFIT!
I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!
If there's no route to the power grid's control computers via the internet, then there's no way that a cyber-attack could affect it. And no, this doesn't mean that power companies can't connect to the internet to accept bill payment or requests to connect/disconnect service - just that they shouldn't allow anything critical to be CONTROLLED over the internet - and it also doesn't mean that they can't have a private TCP/IP network for sharing information among their various systems, which obviously is something that they will want to optimize the power grid and power production to get maximum return on their high capital investments.
Loose things are easy to lose. You're getting your hair cut. They're going there to see their aunt.
This seems similar to the InfraGard initiative, but standard operating procedure dictates our government must form another organization to oversee the preexisting organization that is involved the current organizations et al. Recursive agencies cost us money, and while I do advocate heavier infrastructure protection, hopefully this isn't just another bean-counting expenditure, but instead an operation that actually contributes to our infrastructure security.
'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
seems that building an actual reliable & redundant power grid would be a better idea...
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
... who will monitor the cyberguards?
No, we should have both a secure infrastructure and an infrastructure that benefits from connecting to the public Internet. And a public Internet that benefits from connecting to the secure infrastructure.
What you're saying is like saying we shouldn't run railroads across the Wild West because it's Wild. We needed both complete railroad networks, and a governable West. And we got both. And then we got everything else that could follow on a governable, railroad accessible West.
The American Way is to do some things not because they're easy, but because they're hard. Because those hard things yield the greatest rewards. Including proving we can do anything worthwhile we want, even when the easy cop out beckons.
--
make install -not war
Some systems are properly a monopoly. The nation shouldn't have two Army services. In general security for a given political area, like nationwide, statewide or countywide are best (or perhaps just least badly) run by a monopoly governed by officials elected by the people. Certainly at the national level that is the case.
Outsourcing that job to a private corporation to hold the national monopoly is asking for trouble. There will be no pool of private competitors competing for that contract, because the national market supports only one vendor: the one who wins that contract. That circular setup means the benefits of competition to produce the best candidate will not.
There is plenty of room for outsourcing regional security work to vendors actually competing at that scale, if indeed there are multiple vendors of security to large power grids. Let the regional front line vendors compete to keep their contracts. But the monopoly at the top that actually manages those regions into a comprehensive, integrated national infrastructure defense should be within the government. Which is the only monopoly that has a chance to behave properly.
--
make install -not war
Don't connect it to the internet!
"and it also doesn't mean that they can't have a private TCP/IP network for sharing information among their various systems"
Knowing that boundary is becoming increasingly difficult with our interconnected society. Not to mention, things like social engineering, rogue media (flash-drives etc...) are increasingly hard to regulate internally. A lot of these security issues also stem off an even more pivotal attack vector, the human element.
The engineers, programmers, and designers may be well aware of security practices and threats, but a blue-collar operator may not be as well versed in these areas. This leads to a crossroads: Do we focus on more 'intelligent systems' that are infallible (as much as they can be, and more than they are now), with the ability to be more secure, regardless of operator skill level? Or the alternative, entailing increased operator training?
Well planned systems are always fallible in the hands of the untrained, so I imagine the best scenario falls somewhere in between, but leaning towards the automated side, for systems are easier and cheaper to maintain in the long run if they are designed solid from the onset.
Which leads to a paradox. Contract bidding usually goes the cheapest route, which is almost always not the highest of quality. With these contractors spitting out unrefined systems at minimal-effort-maximal-profit mentality, we will always be behind the power curve (so to speak).
In the end, if and when an infrastructure attack does hit us hard, I imagine there will be less regret of preventative measures, and more blame flaming, for that is what we do as a country, isn't it?
'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
Disconnect those systems from the internet
Remember, a lot of these are old school systems. I know that a lot of remote SCADA (Supervisory Control and Data Acquisition) equipment was never on the Internet. Why? Because it had a modem instead. The electric utilities upgrade their stuff at glacial speed. I bet a lot of that stuff is still out there, and still has a modem connected and has weak to no security.
Computers obey me.
I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!
I work in Industrial Automation, i.e. the kind that is used in Power Plants, Manufacturing Plants and basically anything else that is automated. The equipment and software is generally controlled by third party manufacturers. Of course as no software is really bug free, these manufacturers are continually releasing updates (although I have reported some of those practices on The DailyWTF) and they release these updates via .. The .. Internet.
Fine, so how do I get my updates in a timely manner? Perhaps I should download from the public internet and walk the software across the air-gap to the secure Internet?? Well that sounds fine and dandy until you consider that right now (while I am slacking off) I am in VA and working on a manufacturing system in SC, so walking that air-gap would take at least a 6 hour, one-way drive just to get to the plant. So we are talking an extra $1000 on top of the project costs just to do a single, simple update.
That kinda screws my effectiveness to do my job. And that is the base argument of why things are connected to the internet - convenience and cost. But the answer is not to go backwards and take all the tools away. The answer is to provide better security on the systems that are connected to the Internet.
Two thoughts have crossed my mind while I was writing this:
I am Slashdot. Are you Slashdot as well?
What you're saying is like saying we shouldn't run railroads across the Wild West because it's Wild. We needed both complete railroad networks, and a governable West. And we got both. And then we got everything else that could follow on a governable, railroad accessible West.
I'm afraid your analogy breaks down because no one is suggesting we don't provide electrical service to homes that have Internet service, which is what your train analogy would imply. They are just suggesting that grid control systems not be run by computers connected to the Internet, which is quite a reasonable proposition.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
I have a great way to protect the power grid against cyber-attacks: Don't connect it to the internet!
Nothing on the grid is, or will be connected to the Internet. Yes, you may find it amazing, but the IT folks in the energy sector have already figured this out, even without your advice! Duh..
However, if you think that's all it takes to secure the grid you're even more naive than you sound.
All of the transmission organizations I've worked with have their grid networks completely isolated from their "business" networks that may have some external connectivity. Most won't even allow a simple serial (as in RS-232) wire connection between these systems to transfer data (it's a royal pain when we need to get data from one network to the other and usually involves some form of sneaker-net).
The problem is that even that level of isolation does not guarantee that these systems can't get hacked into. Some of the equipment on the grid is ancient and the cost to upgrade to something modern is cost prohibitive. Contrary to what most people think, power companies are tightly regulated by public utility commissions. They can't raise rates willy-nilly, so expensive upgrades usually don't get approved. Local politicians don't want their constituents pissed off because they approved a rate increase to enhance the infrastructure.
This is going to be a tough nut to crack and I for one am glad to see that this threat is finally being taken seriously.
Whether anything comes of it will remain to be seen.
Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
We needed both complete railroad networks, and a governable West. And we got both.
You haven't been to the west, have you?
"The GPL is viral by design, like any good religion."
There are a billion Indians to kill, but they haven't done anything to me so I vote for leaving them alone. Besides, the Pakistanis have dibs from what I've heard.
I still cannot find the droids I am looking for...
I thought Texas was just a honeypot for Teabaggers.
Forget the power grid, all our communication infrastructure is equally if not more vulnerable.
A year ago, all of South San Jose suffered a communication outage due to this intentional fiber sabotage:
http://www.pcworld.com/businesscenter/article/162910/fiber_cuts_slash_silicon_valleys_internet_arteries.html
I was driving south on 101 to Morgan Hill to work. About 3 miles north of my destination, my cell phone call was lost. At work, we had power but no internet, phones, or cell phones. We had radio, that was about it. It was later blamed on the fiber lines cut, which happened coincidentally right after the AT&T union contract had expired. Might as well have been a terrorist.
I hate being bipolar; it's awesome!